So many of these "internet things" don't even begin to think about security that I'm wondering whether, as a society, we will wait for someone to be murdered by device hack before we start insisting on actual third party security audits on devices.

At least this Belkin device lacks a talk-to-the-baby feature (common on old-fashioned monitors), otherwise you'd have the delightful prospect of J Random Hacker screaming obscenities at the baby. Or more worryingly talking to your older children too (our five year old sometimes has ghastly nightmares so if we're going to be out in the garden for a while we use the old baby monitor)

What really seems to be necessary is a central "management panel" that would allow a home "administrator" to decide who gets to do what with which devices.

This would either require an in-home server, or (seemingly more likely) a cloud-based operator.

Unfortunately, the hard part for a setup like this is the same "hard part" for almost all home automation and internet of things initiatives - getting a vast majority of manufacturers to all sign on to a single standard way of doing something.

As we can see from the litany of communication standards in place for home automation (X10, UPB, Insteon, Z-Wave, ZigBee, and maybe more), getting manufacturers to all play nicely together is extremely difficult.

I wonder if this is really a problem we should start solving at the router level.

With the growing number of connected devices, is it really feasible or wise to rely on every device manufacturer to code securely? Perhaps we should adopt the model of isolating devices on their own virtual network with only a standards based, limited, controlled, cross-entity interaction. High-end consumer routers almost have the virtual network part of this (in the form of guest networks), but controlled interaction is still lacking (maybe UPnP is a start?).

To some extent, this is basically the route web browsers and OS's took in their relationship with web pages and processes, because they realized you need to build isolation into the architecture.

Seems the simplest solution at a personal level is to not buy into the 'internet of things'. If the package says WiFi enabled, control from your smart phone, or talks about 'the cloud' as the second coming of Nikola Tesla, don't spend the money.

"For homes that use a password for their Wi-Fi, our product is as secure as any item on that network," they wrote. "For someone to get access to the baby monitor a person would need to discover that password."

Which means it is not secure at all, considering the type of passwords the average joe tends to use...

Basically, they seem to be saying "You got hacked and spied on? Tough titties, you should have used a better password for your Wi-Fi connection"

Sounds like we're heading down the same road (pun intended) as the CAN bus in cars. Basically open, not properly authenticated and easily subverted for malicious or nefarious reasons. Or just plain old script kiddies.

My wife and I have used the same old school video monitor for all our kids. It openly broadcasts on a 950 MHz frequency. Everyone within a 500 foot radius can view the signal with a compatible receiver, which you can get at any Wal-Mart for $19.95.

This Belkin device is more secure, even with its flaws, than almost every traditional baby monitoring system. This is a positive start. As the "Internet of Things" evolves, a mainstream discussion of security will begin, resulting in better security for everyone.

"The internet of things": Because everybody knows that SCADA is so easy that it should be a consumer product!

In all seriousness, though, I find it hard to summon the slightest rational basis for optimism: One of two (or more likely a combination of them) outcomes seem like the only possible ones:

1. 'Internet of things' things are sold in a more or less chaotic vacuum, comparatively devoid of standards, after-sale support, or any of the other amenities that you don't get when you buy the cheapest router on the shelf (except that said cheapest router is probably standards compliant and multi-vendor interoperable). No central overlord exists; but constant failure by both incompetence and malice is moved from the inconvenient realm of 'eh, have to unplug the plastic box again' and into areas where it can cost actual money or do actual damage.

2. 'Internet of things' things are gradually 'standardized' in much the way that cable TV systems are (which is to say, there is a standardization body; but it exists pretty much entirely for the benefit of the vendors, not the customers, who are actively discouraged from taking advantage of interoperability or choices between better and worse products), and there is a strong emphasis on 'security' as in 'command and control', and the vile analytics slime work themselves into a frenzy dicing the details of our lives ever more finely.

I have nothing against the plucky home automation hobbyists or anything, they are endearing and harmless; but (just as BBS geeks bear little relationship to NSA internet surveillance; but similar behavior, once cheaper, easier, and more common, makes it possible), there is just no way that 'internet of things' is going to "consumerize" well. Either we'll be secure-as-in-letting-the-wolves-eat-the-livestock-is-bad-business, or we'll be mere prey.

A few years ago, when I was looking at building a HTPC, I ran across a quote that stopped me cold and changed my focus. I wish I could remember exactly where it was, but it was from someone who had built a HTPC, then scrapped it, saying "I realized I do not want to be a SysAdmin to my VCR".

This reminds me of that... I don't WANT to have to run Nessus scans against 1/2 of my household appliances on a regular basis. I love my iPhone, but for a baby monitor, I'll stick to either using a stand-alone, or simply staying within earshot.

A few years ago, when I was looking at building a HTPC, I ran across a quote that stopped me cold and changed my focus. I wish I could remember exactly where it was, but it was from someone who had built a HTPC, then scrapped it, saying "I realized I do not want to be a SysAdmin to my VCR".

This reminds me of that... I don't WANT to have to run Nessus scans against 1/2 of my household appliances on a regular basis. I love my iPhone, but for a baby monitor, I'll stick to either using a stand-alone, or simply staying within earshot.

I never did build that HTPC...

A HTPC is no different than a PC, other than you build it to be very quiet if not totally fanless. Your iPhone has far more vectors than a HTPC.

Don't know if anyone is surprised by this but they shouldn't be. If you know that something that can be hacked most likely will be, you'll be more wary of things like that. Or you won't care at all. Either way, at least you'd know.

Don't know why he needed a proof of concept. There was a story a few months ago about a guy doing this exact thing and talking to a couple's child.

A HTPC is no different than a PC, other than you build it to be very quiet if not totally fanless. Your iPhone has far more vectors than a HTPC.

Oh, I know that. My point being, how much "admin" time are we willing to dedicate for "convenience"? I use my iPhone ALL the time - and yes, I have management profiles on it pushed from my OS X server to help (to an extent) secure it. For watching TV? I simply decided the trade-off wasn't worth it. I went with watching Hulu/Netflix instead, and an HDMI cable from laptop to TV when necessary.

So many things are "out of sight, out of mind", but when my receiver has an IP address, my TV has an IP address, my baby monitor has an IP address, etc.... at some point we (if we are security-minded) simply run out of time. I do this stuff all day for work... when I get home, I don't want to patch/scan/mitigate, I want to watch TV, or play with the kid.

Speaking of the Internet of things and wifi, there are a lot of wifi things out there. I ran kismet once on a road trip. In the Mojave desert with nothing around I found a few weird wifi hits. One turned out to be wifi on a high voltage power tower, presumably to take readings. The other was wifi on a weather station set up by a railroad track. A number of radio repeater sites have wifi beams, perhaps for battery/temp monitoring.

A HTPC is no different than a PC, other than you build it to be very quiet if not totally fanless. Your iPhone has far more vectors than a HTPC.

Oh, I know that. My point being, how much "admin" time are we willing to dedicate for "convenience"? I use my iPhone ALL the time - and yes, I have management profiles on it pushed from my OS X server to help (to an extent) secure it. For watching TV? I simply decided the trade-off wasn't worth it. I went with watching Hulu/Netflix instead, and an HDMI cable from laptop to TV when necessary.

So many things are "out of sight, out of mind", but when my receiver has an IP address, my TV has an IP address, my baby monitor has an IP address, etc.... at some point we (if we are security-minded) simply run out of time. I do this stuff all day for work... when I get home, I don't want to patch/scan/mitigate, I want to watch TV, or play with the kid.

All about trade offs.

Well, you have to maintain that laptop ya know!

I run a number of computers, but try to limit the vectors. For instance, don't put email on the HTPC. I use a BlackBerry for my email most of the time, with my only "wired" email going to one Linux computer running claws. Of course the browser has vectors, but you don't surface from the HTPC. Now you could use a Roku or Apple TV, but who knows what privacy/security concerns there are in those platforms.

A HTPC is no different than a PC, other than you build it to be very quiet if not totally fanless. Your iPhone has far more vectors than a HTPC.

Oh, I know that. My point being, how much "admin" time are we willing to dedicate for "convenience"? I use my iPhone ALL the time - and yes, I have management profiles on it pushed from my OS X server to help (to an extent) secure it. For watching TV? I simply decided the trade-off wasn't worth it. I went with watching Hulu/Netflix instead, and an HDMI cable from laptop to TV when necessary.

So many things are "out of sight, out of mind", but when my receiver has an IP address, my TV has an IP address, my baby monitor has an IP address, etc.... at some point we (if we are security-minded) simply run out of time. I do this stuff all day for work... when I get home, I don't want to patch/scan/mitigate, I want to watch TV, or play with the kid.

All about trade offs.

Well, you have to maintain that laptop ya know!

I run a number of computers, but try to limit the vectors. For instance, don't put email on the HTPC. I use a BlackBerry for my email most of the time, with my only "wired" email going to one Linux computer running claws. Of course the browser has vectors, but you don't surface from the HTPC. Now you could use a Roku or Apple TV, but who knows what privacy/security concerns there are in those platforms.

To most, simple ignorance mutes the concern; I feel most people are unaware of the risks associated with the adoption of this and any wireless technology... Education of our youth, to think about IT security as a role in the implementation of technology, could promote new ways to solve this ever-present issue.

At least this Belkin device lacks a talk-to-the-baby feature (common on old-fashioned monitors), otherwise you'd have the delightful prospect of J Random Hacker screaming obscenities at the baby. Or more worryingly talking to your older children too (our five year old sometimes has ghastly nightmares so if we're going to be out in the garden for a while we use the old baby monitor)

I don't know what degree of control this device has, but speakers can be used as microphones and microphones can be used as speakers, although the sound quality is often poor when used for the other function. That would mean that if they could get the feature, JRH could scream horribly distorted obscenities at the baby.

Don't know if anyone is surprised by this but they shouldn't be. If you know that something that can be hacked most likely will be, you'll be more wary of things like that. Or you won't care at all. Either way, at least you'd know.

Don't know why he needed a proof of concept. There was a story a few months ago about a guy doing this exact thing and talking to a couple's child.

At least this Belkin device lacks a talk-to-the-baby feature (common on old-fashioned monitors), otherwise you'd have the delightful prospect of J Random Hacker screaming obscenities at the baby. Or more worryingly talking to your older children too (our five year old sometimes has ghastly nightmares so if we're going to be out in the garden for a while we use the old baby monitor)

I don't know what degree of control this device has, but speakers can be used as microphones and microphones can be used as speakers, although the sound quality is often poor when used for the other function. That would mean that if they could get the feature, JRH could scream horribly distorted obscenities at the baby.

I think we will end up with a solution eventually. The question is how much pain we are willing to endure in the meantime.

For the home server idea, that is probably the most likely concept to emerge in the future, but it will take a long time for someone to establish a standard that is universally accepted, is lite enough to not get in your way all the time, and is easy enough to use that consumers will embrace it. Microsoft seems to be in a good position to establish this kind of “Home Server”, but hasn’t ever really embraced the role of a real, no kidding, functional home server. Their recent attempts are not the first time they have tried something in the home server market. They have been puzzling over it and bumbling around it since at least the mid-90’s and never quite getting it right. I think that Microsoft could do this, but lacks the focus and will. I have been amazed that so much angst has been directed towards the interface in Windows 8 (which I am agnostic about – I don’t personally like Metro, but, as a power user, I have no issue with getting it out of my way and driving on with my life) while there has only been niche focus on their failed home server concept. If Microsoft developed a truly useful consumer based home server that did things like embrace “the internet of things” in a meaningful way, that may be a product consumers would actually use. For the record, I liked Microsoft’s recent Home Server concepts, but they were admittedly hard sells to the consumer public.

Like it or not, Apple does better in this space. Their “ecosystem” is better integrated, works well between devices and is easy to set up. I am not saying they are any more inherently “secure” than anything else, but they have learned how to sell home networking of “things” to the public in a practical way. This also puts them in a good position to come up with a standard for the internet of things, but I doubt they will embrace it much since, frankly, it is not very sexy. I find it hard to imagine a conversation in Apple headquarters that starts with “I think we should develop a standard to make sure our washing machines are secure.”

Google also has an opportunity here. This actually seems to fit in more with their line of research and development since they seem to embrace everything from the mundane to outrageous.

As far as whether this will happen at all, I think it will. For the most part, all wireless transitions in the consumer space have gone through a similar set of security growing pains. Look at the history of the plain old home cordless phone. Although the technology for the cordless phone was developed during World War II and patented in the 1960’s, it didn’t hit consumers in a meaningful way until Ma Bell got broken up in the early 80’s. Then, suddenly, cordless phones exploded into the consumer space. The original 1.7 MHz phones gave way to the 40-50 MHz FM phones pretty quickly, but it didn’t take long until virtually everyone realized that they were all totally unsecure and as easy to hack as sitting outside with the appropriate radio scanner. This didn’t truly get resolved until DSS was implemented widely in the 1990’s. Technically, DSS is not even that secure, but it is secure enough that the average person feels comfortable talking on their landline without worrying about whether the guy next door is listening. That is where we need to get to – an acceptable central control standard that is easy to use (in other words, you plug it in and it works) and is reasonably secure enough for 99% of consumer use-cases.

I think we will end up with a solution eventually. The question is how much pain we are willing to endure in the meantime.

For the home server idea, that is probably the most likely concept to emerge in the future, but it will take a long time for someone to establish a standard that is universally accepted, is lite enough to not get in your way all the time, and is easy enough to use that consumers will embrace it. Microsoft seems to be in a good position to establish this kind of “Home Server”, but hasn’t ever really embraced the role of a real, no kidding, functional home server. Their recent attempts are not the first time they have tried something in the home server market. They have been puzzling over it and bumbling around it since at least the mid-90’s and never quite getting it right. I think that Microsoft could do this, but lacks the focus and will. I have been amazed that so much angst has been directed towards the interface in Windows 8 (which I am agnostic about – I don’t personally like Metro, but, as a power user, I have no issue with getting it out of my way and driving on with my life) while there has only been niche focus on their failed home server concept. If Microsoft developed a truly useful consumer based home server that did things like embrace “the internet of things” in a meaningful way, that may be a product consumers would actually use. For the record, I liked Microsoft’s recent Home Server concepts, but they were admittedly hard sells to the consumer public.

Like it or not, Apple does better in this space. Their “ecosystem” is better integrated, works well between devices and is easy to set up. I am not saying they are any more inherently “secure” than anything else, but they have learned how to sell home networking of “things” to the public in a practical way. This also puts them in a good position to come up with a standard for the internet of things, but I doubt they will embrace it much since, frankly, it is not very sexy. I find it hard to imagine a conversation in Apple headquarters that starts with “I think we should develop a standard to make sure our washing machines are secure.”

Google also has an opportunity here. This actually seems to fit in more with their line of research and development since they seem to embrace everything from the mundane to outrageous.

As far as whether this will happen at all, I think it will. For the most part, all wireless transitions in the consumer space have gone through a similar set of security growing pains. Look at the history of the plain old home cordless phone. Although the technology for the cordless phone was developed during World War II and patented in the 1960’s, it didn’t hit consumers in a meaningful way until Ma Bell got broken up in the early 80’s. Then, suddenly, cordless phones exploded into the consumer space. The original 1.7 MHz phones gave way to the 40-50 MHz FM phones pretty quickly, but it didn’t take long until virtually everyone realized that they were all totally unsecure and as easy to hack as sitting outside with the appropriate radio scanner. This didn’t truly get resolved until DSS was implemented widely in the 1990’s. Technically, DSS is not even that secure, but it is secure enough that the average person feels comfortable talking on their landline without worrying about whether the guy next door is listening. That is where we need to get to – an acceptable central control standard that is easy to use (in other words, you plug it in and it works) and is reasonably secure enough for 99% of consumer use-cases.

You left out the NAS market as a stealth entry into the home server market.

You left out the NAS market as a stealth entry into the home server market.

Interesting point. I kind of think, though, that this level of standardization (we are literally talking about most of the electronics in your home, eventually) would require a major player to step up and embrace it. Getting the device or utility manufacturers to agree seems unlikely (since they have a vested interest in pushing their standard on their device). The NAS market is in a great position to do this from a technical standpoint, but doesn't have the penetration into the consumer market to get the average Best Buyer to embrace it. That is why I mentioned Microsoft, Google and Apple - they seem to be in the best positions to do it, but I am just not sure they will.

You left out the NAS market as a stealth entry into the home server market.

Interesting point. I kind of think, though, that this level of standardization (we are literally talking about most of the electronics in your home, eventually) would require a major player to step up and embrace it. Getting the device or utility manufacturers to agree seems unlikely (since they have a vested interest in pushing their standard on their device). The NAS market is in a great position to do this from a technical standpoint, but doesn't have the penetration into the consumer market to get the average Best Buyer to embrace it. That is why I mentioned Microsoft, Google and Apple - they seem to be in the best positions to do it, but I am just not sure they will.

It's likely for ease of initial setup it'd have to ship with some insecure settings, but once set up it should set itself to be pretty secure. What would be great is for a few people (X10, etc) to get together and agree on an interoperable basic protocol & security behavior. That way we don't have 3 or 10 different ways to set up & secure devices to talk to our other devices.

My wife and I have used the same old school video monitor for all our kids. It openly broadcasts on a 950 MHz frequency. Everyone within a 500 foot radius can view the signal with a compatible receiver, which you can get at any Wal-Mart for $19.95.

This Belkin device is more secure, even with its flaws, than almost every traditional baby monitoring system. This is a positive start. As the "Internet of Things" evolves, a mainstream discussion of security will begin, resulting in better security for everyone.

"If you're not picking up a stranger's communication, try changing the channel on your device."

I agree with you, and if I had to choose between a creep eavesdropping on what happens in my hypothetical baby's room from in the vicinity versus on the internet, I'd rather not have a creep nearby. But, it's a false choice, I secure my internet, have a separate guest network, so I'd feel pretty safe using something like this.

In time the security problems that arise will bring about solutions that are both secure and relatively painless from the user end.

Any device that wants to accept control/communication with another device really should require some kind of explicit "pairing" action. There are various forms of this, ranging from a more rigorous approach where a one-time code displayed on one device must be entered on the other, to a prompt like "Do you want to allow Joe's iPhone to connect?" There are even dirt-simple methods suitable for devices with minimal UI, where the target device is put momentarily into a pairing "mode" that will accept the first device that connects (ideally with some way to easily "re-do" the last pairing, in case something malicious snuck in there before you did).

Behind the scenes, I presume the devices exchange public keys. From then on, data or commands from one device to another are signed with the originating device's private key (and perhaps encrypted with the intended receiver's public key, if content privacy is needed), and the receiver verifies the signature using the previously-shared public key of the sender, decrypting with its own private key if needed. No silly passwords to forget, no pleading with people to use complex passwords, no requirement that people know how to secure their WiFi, etc.

This approach removes the need for a central server or Internet access. It doesn't even require some industry-standard, master access control protocol, because in most cases, the things talking to each other have some pre-existing knowledge of each other (e.g. it's Belkin's monitor, and Belkin's smartphone app, so they can use whatever pairing protocol they've agreed upon in advance).

I also don't think it's too much to ask consumers to go through such a process when setting up a new device. Especially when a smartphone or computer is involved, the user can be guided through this quite easily. I think people will accept a one-time, single-step, push-button type thing if it's well designed and explained.

I would personally stay away from a home device that doesn't provide this simple security step, because it's a sign that the maker wasn't thinking much about security at all.
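The pairing scheme described in the comment above, as an added Go sketch that is not part of the original thread and not any vendor's code: a device accepts one public key while its button-activated pairing window is open, then only acts on commands signed by a paired key. The `Device` and `Message` types, the device names, and the per-sender counter used to reject replayed commands are assumptions added here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrNotPairing   = errors.New("device is not in pairing mode")
	ErrUnknownPeer  = errors.New("sender was never paired")
	ErrBadSignature = errors.New("signature check failed")
	ErrReplay       = errors.New("counter not newer than last accepted")
)

// Device is a hypothetical home device or phone app with its own Ed25519 key pair.
type Device struct {
	Name     string
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	pairing  bool                         // set by the physical button, cleared after one pairing
	peers    map[string]ed25519.PublicKey // public keys learned during pairing
	lastSeen map[string]uint64            // highest counter accepted per peer
	sendCtr  uint64
}

// Message is a signed command; Counter is an added replay guard (assumption).
type Message struct {
	From, To, Command string
	Counter           uint64
	Sig               []byte
}

func NewDevice(name string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, Pub: pub, priv: priv, peers: map[string]ed25519.PublicKey{}, lastSeen: map[string]uint64{}}, nil
}

func (d *Device) EnterPairingMode() { d.pairing = true } // models the push-button step

// AcceptPairing stores the first key offered while in pairing mode, then closes the window.
func (d *Device) AcceptPairing(name string, pub ed25519.PublicKey) error {
	if !d.pairing {
		return ErrNotPairing
	}
	d.peers[name], d.lastSeen[name] = pub, 0
	d.pairing = false
	return nil
}

// signedBytes length-prefixes each field so field boundaries cannot be shifted.
func signedBytes(m Message) []byte {
	var buf []byte
	var n [8]byte
	for _, f := range []string{m.From, m.To, m.Command} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(f)))
		buf = append(append(buf, n[:4]...), f...)
	}
	binary.BigEndian.PutUint64(n[:], m.Counter)
	return append(buf, n[:]...)
}

// Send signs a command for one named receiver with the sender's private key.
func (d *Device) Send(to, cmd string) Message {
	d.sendCtr++
	m := Message{From: d.Name, To: to, Command: cmd, Counter: d.sendCtr}
	m.Sig = ed25519.Sign(d.priv, signedBytes(m))
	return m
}

// Receive accepts a command only from a paired key, addressed to us, and not replayed.
func (d *Device) Receive(m Message) error {
	pub, ok := d.peers[m.From]
	if !ok {
		return ErrUnknownPeer
	}
	if m.To != d.Name || !ed25519.Verify(pub, signedBytes(m), m.Sig) {
		return ErrBadSignature
	}
	if m.Counter <= d.lastSeen[m.From] {
		return ErrReplay
	}
	d.lastSeen[m.From] = m.Counter
	return nil
}

func main() {
	monitor, _ := NewDevice("monitor")
	phone, _ := NewDevice("phone")
	monitor.EnterPairingMode()
	fmt.Println("pair:", monitor.AcceptPairing(phone.Name, phone.Pub))
	m := phone.Send("monitor", "camera:on")
	fmt.Println("first:", monitor.Receive(m), "replay:", monitor.Receive(m))
}
```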

"If you're not picking up a stranger's communication, try changing the channel on your device."

I agree with you, and if I had to choose between a creep eavesdropping on what happens in my hypothetical baby's room from in the vicinity versus on the internet, I'd rather not have a creep nearby. But, it's a false choice, I secure my internet, have a separate guest network, so I'd feel pretty safe using something like this.

I used to agree, but the various webcam blackmails we're seeing reported here and elsewhere have done a fair bit to change my mind on that. Securing my network is fine, but what if it's a home security device that I can view off-premises? Once it's speaking to something off premises, there has to be some dimension that can be compromised. I may be annoyed at my lights flipping on and off, but if my heater is shut off while I'm on vacation in January, the resulting damage from frozen and burst pipes could be quite expensive.

This is a realm where I'm not trying to spread FUD or even saying we need "bulletproof". I am saying we need manufacturer responsibility in a new industry where there currently isn't very much to be found.

"If you're not picking up a stranger's communication, try changing the channel on your device."

I agree with you, and if I had to choose between a creep eavesdropping on what happens in my hypothetical baby's room from in the vicinity versus on the internet, I'd rather not have a creep nearby. But, it's a false choice, I secure my internet, have a separate guest network, so I'd feel pretty safe using something like this.

I used to agree, but the various webcam blackmails we're seeing reported here and elsewhere have done a fair bit to change my mind on that. Securing my network is fine, but what if it's a home security device that I can view off-premises? Once it's speaking to something off premises, there has to be some dimension that can be compromised. I may be annoyed at my lights flipping on and off, but if my heater is shut off while I'm on vacation in January, the resulting damage from frozen and burst pipes could be quite expensive.

This is a realm where I'm not trying to spread FUD or even saying we need "bulletproof". I am saying we need manufacturer responsibility in a new industry where there currently isn't very much to be found.

That's a good point about the thermostat. My initial thought was "who cares what's heard on a baby monitor?", but I'm currently shopping for security systems for my new house and I wouldn't want to be caught assuming that the surveillance cameras are more secure than this baby monitor.

A password is still the primary security measure for so many systems that are of higher importance than our thermostats and baby monitors, it seems like at least manufacturers made the security vs usability decision knowing the security problems. As devices become more common, manufacturers will likely offer versions with greater security.

Don't know if anyone is surprised by this but they shouldn't be. If you know that something that can be hacked most likely will be, you'll be more wary of things like that. Or you won't care at all. Either way, at least you'd know.

Don't know why he needed a proof of concept. There was a story a few months ago about a guy doing this exact thing and talking to a couple's child.

There's a difference between an anecdote and a security analysis.

I can't tell if that was snarky or not but perhaps I misspoke in the not knowing why he needed it. I'm guessing it was more the phrase of proof of concept.

So many of these "internet things" don't even begin to think about security that I'm wondering whether, as a society, we will wait for someone to be murdered by device hack before we start insisting on actual third party security audits on devices.

EDIT: like you have that UL logo on that cheap extension cord.

Like many things, people take that UL for granted. It breeds apathy. People think "of course 120V AC lines are safe." They are only safe now that someone says they must be safe and people have died.

Eventually regulation will come to this industry. Distributing code will require a licence. OSes will be secure or they will not be allowed to be distributed, and 2 generations from now, the kids will say "of course no one can steal my pictures"

"If you're not picking up a stranger's communication, try changing the channel on your device."

I agree with you, and if I had to choose between a creep eavesdropping on what happens in my hypothetical baby's room from in the vicinity versus on the internet, I'd rather not have a creep nearby. But, it's a false choice, I secure my internet, have a separate guest network, so I'd feel pretty safe using something like this.

I used to agree, but the various webcam blackmails we're seeing reported here and elsewhere have done a fair bit to change my mind on that. Securing my network is fine, but what if it's a home security device that I can view off-premises? Once it's speaking to something off premises, there has to be some dimension that can be compromised. I may be annoyed at my lights flipping on and off, but if my heater is shut off while I'm on vacation in January, the resulting damage from frozen and burst pipes could be quite expensive.

This is a realm where I'm not trying to spread FUD or even saying we need "bulletproof". I am saying we need manufacturer responsibility in a new industry where there currently isn't very much to be found.

That's a good point about the thermostat. My initial thought was "who cares what's heard on a baby monitor?", but I'm currently shopping for security systems for my new house and I wouldn't want to be caught assuming that the surveillance cameras are more secure than this baby monitor.

A password is still the primary security measure for so many systems that are of higher importance than our thermostats and baby monitors, it seems like at least manufacturers made the security vs usability decision knowing the security problems. As devices become more common, manufacturers will likely offer versions with greater security.

I've posted this once before, but perhaps the story bears repeating again. I had a gate installed by a professional gate/door company. Said company puts in a code for their maintenance crew into every installation. Make that the same freakin' code everywhere, AKA a back door. This is the corporate mentality you find these days.

I really hate to say this, but unless you build it yourself, you will never know if any internet device is safe. Now if you can run the device behind a VPN, you have some security.

Infiltrate the network, then start monitoring the connected devices over time. Set up a website where you sell information on properties in a specific area extrapolated from that data such as wealth level, normal routine, whether they're on holiday at the moment. And have it silently collecting that information over a matter of years.

How do you know they're out for the evening? No one's turned on the lights, or no one's opened the fridge this evening. Want to know when they're going away? The fridge isn't restocked, or depending on the fridge they've just told the fridge that they're on holiday so suspend regular orders.

"If you're not picking up a stranger's communication, try changing the channel on your device."

I agree with you, and if I had to choose between a creep eavesdropping on what happens in my hypothetical baby's room from in the vicinity versus on the internet, I'd rather not have a creep nearby. But, it's a false choice, I secure my internet, have a separate guest network, so I'd feel pretty safe using something like this.

I used to agree, but the various webcam blackmails we're seeing reported here and elsewhere have done a fair bit to change my mind on that. Securing my network is fine, but what if it's a home security device that I can view off-premises? Once it's speaking to something off premises, there has to be some dimension that can be compromised. I may be annoyed at my lights flipping on and off, but if my heater is shut off while I'm on vacation in January, the resulting damage from frozen and burst pipes could be quite expensive.

This is a realm where I'm not trying to spread FUD or even saying we need "bulletproof". I am saying we need manufacturer responsibility in a new industry where there currently isn't very much to be found.

That's a good point about the thermostat. My initial thought was "who cares what's heard on a baby monitor?", but I'm currently shopping for security systems for my new house and I wouldn't want to be caught assuming that the surveillance cameras are more secure than this baby monitor.

A password is still the primary security measure for so many systems that are of higher importance than our thermostats and baby monitors, it seems like at least manufacturers made the security vs usability decision knowing the security problems. As devices become more common, manufacturers will likely offer versions with greater security.

I've posted this once before, but perhaps the story bears repeating again. I had a gate installed by a professional gate/door company. Said company puts in a code for their maintenance crew into every installation. Make that the same freakin' code everywhere, AKA a back door. This is the corporate mentality you find these days.

I really hate to say this, but unless you build it yourself, you will never know if any internet device is safe. Now if you can run the device behind a VPN, you have some security.

Wow, that's ridiculous. The house I bought has an ADT system built in, I'm sure they're a fine company, but I'm ripping it all out and installing my own equipment, nice to have the wiring in place though. I still feel pretty good about being able to secure the dedicated security system network, but I'll be doing additional research on the devices I buy for sure.